
Almost two weeks ago I wrote an article for the popular blogging blog ShoutMeLoud on a similar topic, in which I covered the smartest way to secure the WordPress login using the Login Dongle plugin and added more plugins to secure your blog. Now it is time to secure your blog using the .htaccess file, so in this article I am going to write a step-by-step guide to securing your WordPress blog using the .htaccess file, a hidden file located in the public root folder (public_html) of your cPanel account.

First of all, you must understand what .htaccess files are:

  • .htaccess files are configuration files used by the Apache Web Server.

A web server is the program responsible for taking a request for a page on your website and returning the correct page to the visitor.
Apache is the most widely used web server in the world, and if you are on a shared hosting account you are most likely running on Apache. Microsoft's web server, IIS (Internet Information Services), does not use .htaccess files, and neither does nginx; the rules in this article only apply to Apache.

  • .htaccess files are extremely powerful: a directive placed in one changes how Apache serves every file in that folder and all of its subfolders, and it takes effect immediately, with no restart required.

Most important points:

Modifying your .htaccess file is an effective way of protecting your WordPress site from being hacked, and it is also one of the first files attackers go after once they get in. For instance, a hacker can "redirect all incoming traffic to your website to another website, effectively stealing your traffic."

  • Some hacks redirect only incoming traffic from search engines. This means that if you open your WordPress site by typing the URL or via a bookmark you will see your site working normally; only users who found your site via search will be redirected, so checking your own site in the browser is not enough to notice it.

Before proceeding to the next step, read the following points carefully:

Important! Even a small typing mistake in the .htaccess file can stop your WordPress site from working (Apache answers every request with a 500 Internal Server Error until the file is fixed).

  • If anything does go wrong you can restore access to your site by putting the original .htaccess file back.
  • Copy the original .htaccess file to your computer before you start editing.

Important! When you have completed work on the .htaccess file, test your WordPress site comprehensively. Your contact form, comment posting and any other user input on your site especially need to be tested.

Important! Take a full backup of your WordPress blog (files and database) before making changes to your .htaccess file; as I wrote before, a single mistake can stop your site from working.

So now let's get started with securing your WordPress site using the .htaccess file.

First of all, locate your .htaccess file in the public root folder (public_html) of your cPanel File Manager by enabling the Show Hidden Files option, or watch this video about how to locate the .htaccess file in cPanel.

Once you have found it, download it to your computer. Now it is time to update the .htaccess file.

Before you start editing, your .htaccess file should look similar to this:

# BEGIN Cache Plugin

# END Cache Plugin
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Got it? Now, do not change the code that is already in the file. The Cache Plugin block at the top will only be present if you use a caching plugin such as W3 Total Cache or WP Super Cache (the best choice for beginners and for blogs with normal traffic).
The next step is to add a few lines at the top of the file, above the existing blocks. The added lines are explained below:

# Disable directory listings. Do not write "Options All -Indexes": mixing
# options with and without a +/- sign is invalid syntax in Apache. If this
# line alone gives a 500 error, your host does not allow "Options" in
# .htaccess (AllowOverride Options); remove it and turn off indexes in cPanel.
Options -Indexes

# Stop access to sensitive files.
# "Order/Deny/Satisfy" is Apache 2.2 syntax. It still works on Apache 2.4
# when mod_access_compat is loaded (the case on most shared hosts); on a
# plain 2.4 server replace those three lines in each block with
# "Require all denied".

# Protect .htaccess (the pattern also covers .htpasswd if you add one later)
<FilesMatch "^\.ht">
Order Allow,Deny
Deny from all
Satisfy all
</FilesMatch>
# Protect readme.html
<Files readme.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# Protect wp-config.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# Protect php.ini
<Files php.ini>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# Protect error_log
<FilesMatch "^error_log$">
Order Allow,Deny
Deny from all
Satisfy all
</FilesMatch>

# Block the include-only files (these are the rules from the WordPress
# Codex "Hardening WordPress" page). Note: the wp-includes rule breaks
# Multisite installs, where wp-includes/ms-files.php must stay reachable.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is not under wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN Cache Plugin

# END Cache Plugin
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

That was not so hard, was it? Now let's see what we changed after saving this file.

1. We protect a number of files containing sensitive information from being read over the Internet. These files might expose the WordPress version number, database credentials and prefixes, server configuration and file paths. Because the rules use <Files> sections, they apply to a file of that name in every subfolder as well, not only in the root.

• .htaccess contains sensitive information about the server configuration and protection.
• wp-config.php contains your database name, user, password and table prefix, plus the secret keys and salts.
• readme.html contains the WordPress version number.
• php.ini contains sensitive information about the server configuration.
• error_log can contain information about your file paths and database table names.

Now if a visitor tries to access any of these files, they see a 403 Forbidden error:

(screenshot: access denied)

2. Disable directory browsing
For example, when you go to www.mywebsite.com/wp-content/uploads you will likely see a listing of every file in that folder, like this:

(screenshot: directory listing of wp-content/uploads)

Now visitors will see this instead:

(screenshot: 403 Forbidden)

Looks great, doesn't it?
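To confirm that the rules are actually in effect, and that you have not locked out the pages your visitors need, here is an added check script that is not part of the original post. It assumes curl is installed, that your site uses the standard WordPress layout, and that you pass the site URL as the only argument (https://example.com is a placeholder).

```shell
#!/bin/sh
# Added example, not from the original post: after uploading the new
# .htaccess, confirm from outside that the protected files answer 403 and
# that normal pages still answer 200. The site URL is assumed to be passed
# as $1, e.g. https://example.com (placeholder).

# Print only the HTTP status code for a URL (no body, redirects not followed).
fetch_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# Paths that the rules in this post must refuse with 403 (standard WordPress
# file names; the uploads folder tests the Options -Indexes line).
blocked_paths() {
    printf '%s\n' \
        /.htaccess \
        /readme.html \
        /wp-config.php \
        /php.ini \
        /error_log \
        /wp-content/uploads/ \
        /wp-admin/includes/file.php \
        /wp-includes/load.php \
        /wp-includes/theme-compat/comments.php
}

# Paths that must keep working (200): the home page, the login page and a
# static asset inside wp-includes, which the include-only rules must not block.
allowed_paths() {
    printf '%s\n' / /wp-login.php /wp-includes/js/jquery/jquery.min.js
}

# check_site URL: prints one line per path and returns the number of failed
# checks, so a non-zero exit status means the hardening is incomplete.
check_site() {
    site="${1%/}"
    failures=0
    for p in $(blocked_paths); do
        code=$(fetch_status "$site$p")
        if [ "$code" = "403" ]; then
            echo "ok    $code $p"
        else
            echo "FAIL  $code $p (expected 403)"
            failures=$((failures + 1))
        fi
    done
    for p in $(allowed_paths); do
        code=$(fetch_status "$site$p")
        if [ "$code" = "200" ]; then
            echo "ok    $code $p"
        else
            echo "FAIL  $code $p (expected 200)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: sh check-htaccess.sh https://example.com
if [ -n "$1" ]; then
    check_site "$1"
fi
```

Run it with the exact URL your site uses (with or without www, http or https), otherwise the home page answers with a redirect instead of 200. A 200 on any of the blocked paths means that rule is not active: the usual causes are the file having been uploaded to the wrong folder, or a host that ignores the directive (check for a 500 on the home page in that case).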

So this was the tutorial on how to secure WordPress using the .htaccess file.

If you think you're not able to do all this and find it a bit risky, you can hire me to do it; I will also add a few more security checks and make your blog 90% secure :P because I believe no blog can be 100% secure: if a hacker is desperate to hack your blog then there is no way out :D (I used this line in my post about securing the WordPress admin panel at ShoutMeLoud). To hire me for this you need to contact me using the Contact Me page (I will charge a bit :D). For this article I would also like to give credit to wpsecuritychecklist.com :)

Well, I am done now, and it's your turn to let me know whether you found this article informative or are facing some issues. Let's catch up in the comments >>
